Security B-Sides MSP 2016 Megan Carney "Macro vs Micro: How (and why) to write your own alerts"
Companies that specialize in endpoint security look for patterns across their customer base, then apply those signatures or heuristics to your environment. This is a good thing, even though it often results in false positives. Analysts dedicated to your environment know what’s normal and what’s not. This is also a good thing. In today’s world, you need both perspectives. Modern attackers use camouflage tactics to hide their activity because they’re focused on stealing information, for profit or for country. To combat this, you need to combine the macro perspective endpoint security companies give you with the micro perspective your analysts have. This is why you write your own alerts. This presentation will focus on a case study in how Yelp uses intelligence from our DNS resolver to find infected machines, based on deviations from normal patterns in our environment.
Slides can be found here: https://archive.org/details/2016BSidesMSPSlides
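The abstract's central idea, alerting on deviations from what is normal for each host in your own DNS resolver logs, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not the talk's code or Yelp's, and the log format, client addresses, domain names and thresholds are all constructed. It builds a per-client baseline (which registered domains a host usually resolves, and at what rate) and then flags three kinds of deviation in a later window: a burst of never-before-seen domains, a high NXDOMAIN ratio, and a query-rate spike. Hosts with no baseline at all are reported separately, since "we have no idea what normal is" is its own finding.

```python
"""Per-client DNS baseline with deviation alerts (added example, not from the talk)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Query(NamedTuple):
    ts: int        # epoch seconds
    client: str    # address of the querying host
    qname: str     # name queried
    rcode: str     # resolver response code (NOERROR, NXDOMAIN, ...)


def parse_log(text: str) -> List[Query]:
    """Parse constructed '<epoch> <client> <qname> <rcode>' lines."""
    out = []
    for line in text.strip().splitlines():
        ts, client, qname, rcode = line.split()
        out.append(Query(int(ts), client, qname.lower().rstrip("."), rcode))
    return out


def registered_domain(qname: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels.
    Simplifying assumption for this example; use a public-suffix list in production."""
    return ".".join(qname.split(".")[-2:])


def build_baseline(queries: List[Query], window_minutes: float) -> Dict[str, dict]:
    """Per client: the domains it normally resolves and its queries-per-minute."""
    domains: Dict[str, Set[str]] = defaultdict(set)
    counts: Dict[str, int] = defaultdict(int)
    for q in queries:
        domains[q.client].add(registered_domain(q.qname))
        counts[q.client] += 1
    return {c: {"domains": domains[c], "qpm": counts[c] / window_minutes} for c in counts}


def detect(queries: List[Query], baseline: Dict[str, dict], window_minutes: float,
           new_domain_min: int = 5, nxdomain_ratio: float = 0.5,
           min_queries: int = 5, rate_multiplier: float = 5.0) -> List[dict]:
    """Compare a detection window against the baseline and return alert records."""
    by_client: Dict[str, List[Query]] = defaultdict(list)
    for q in queries:
        by_client[q.client].append(q)
    alerts = []
    for client, qs in sorted(by_client.items()):
        if client not in baseline:
            # No model of "normal" for this host: surface it rather than stay silent.
            alerts.append({"client": client, "rule": "no_baseline", "value": len(qs)})
            continue
        known = baseline[client]["domains"]
        new = {registered_domain(q.qname) for q in qs} - known
        if len(new) >= new_domain_min:
            alerts.append({"client": client, "rule": "new_domains", "value": len(new)})
        nx = sum(1 for q in qs if q.rcode == "NXDOMAIN")
        if len(qs) >= min_queries and nx / len(qs) >= nxdomain_ratio:
            alerts.append({"client": client, "rule": "nxdomain_ratio", "value": round(nx / len(qs), 2)})
        qpm = len(qs) / window_minutes
        if qpm >= rate_multiplier * baseline[client]["qpm"]:
            alerts.append({"client": client, "rule": "query_rate", "value": qpm})
    return alerts


# Constructed sample data: a quiet 10-minute baseline, then a 10-minute window
# in which 10.0.0.9 starts resolving names it has never asked for, most failing.
BASELINE_LOG = """
0   10.0.0.5 www.example.com     NOERROR
60  10.0.0.5 mail.example.com    NOERROR
120 10.0.0.5 cdn.example.net     NOERROR
180 10.0.0.5 www.example.org     NOERROR
240 10.0.0.5 www.example.com     NOERROR
0   10.0.0.9 www.example.com     NOERROR
90  10.0.0.9 cdn.example.net     NOERROR
300 10.0.0.9 updates.example.org NOERROR
"""
DETECTION_LOG = """
600 10.0.0.5  www.example.com   NOERROR
660 10.0.0.5  cdn.example.net   NOERROR
700 10.0.0.5  www.example.org   NOERROR
600 10.0.0.9  www.example.com   NOERROR
605 10.0.0.9  qzkxv7.invalid    NXDOMAIN
610 10.0.0.9  m3pw9a.invalid    NXDOMAIN
615 10.0.0.9  x0tt2q.invalid    NXDOMAIN
620 10.0.0.9  r8nnk1.invalid    NXDOMAIN
625 10.0.0.9  update-check.test NOERROR
630 10.0.0.9  kk91lz.invalid    NXDOMAIN
640 10.0.0.77 www.example.com   NOERROR
"""


def run_example() -> List[dict]:
    baseline = build_baseline(parse_log(BASELINE_LOG), window_minutes=10)
    return detect(parse_log(DETECTION_LOG), baseline, window_minutes=10)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running it reports `new_domains` (6) and `nxdomain_ratio` (0.71) for 10.0.0.9, nothing for 10.0.0.5, and `no_baseline` for 10.0.0.77. The thresholds are deliberately parameters: the whole point of the micro perspective is that the right values come from your own environment's history, not from a vendor default.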